The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
Applications of the Internet of Things (IoT) are being discussed across industry as a whole. For example, the IoT is being applied to the remote management and control of facilities that are hard to access, such as a dam, a nuclear power plant, and the like, and to traffic control systems, as well as to personal devices, such as a smart TV, a robot cleaner, a car navigation system, and the like, and to various remote services provided by a cloud service. However, IoT devices and IoT systems that have a communication function and a function of autonomously obtaining and processing data are exposed to cyber attacks because the relationship between the party using them and their owner is unclear.
In particular, the IoT devices currently constituting an IoT network generally have only a simple computing function and weak security, and hence they are vulnerable to attack from outside. Due to the characteristics of the IoT network, a security vulnerability in a specific area and a cyber attack aimed at this vulnerability may cause adverse effects that spread to other industrial areas.
As it is impossible to separately install and run security software on an IoT device that has only a simple communication function, additional effort is needed to embed a security hardware module in the IoT device, to apply a security solution to the entire system, or the like. Examples of security problems in the IoT include a situation where malicious code infects the IoT device or network so that important information is leaked or tampered with, causing a system failure, and a situation where an attacker freely controls the IoT device or network from a remote location. In particular, access to the network by a terminal infected with malicious code may cause serious damage to the network. For example, an automated vehicle, an electric vehicle, or a smart vehicle may be remotely controlled to cause an accident, or a medical device in a hospital may be made to malfunction, threatening the life of a patient.
In the IoT network, the integrity of the IoT device should be ensured, it should be clearly known whether or not a reliable IoT device is connected to the network, and it should be possible to trust that a legal user is the one accessing a terminal or the network.
In conventional information security systems, an illegal user may acquire the personal information, password, and biometric data of a legal user and use them to hack into the network. As another example, because personal authentication information is not actually contained in a public key certificate issued by a certification authority, there is a vulnerability in that a third party can steal the public key certificate and the certificate password and use them illegally. In addition, if a person remotely accesses a business system of a company or a government agency by using a legal terminal with stolen authentication information, such as the ID, password, or biometric data of a legal user, he or she can freely use the business system without any interruption. A typical example of the security problem is that, if one has an employee's electronic ID card including an IC chip, which was picked up on a street, for example, he or she can appropriate the picture or the like and use the card at a gate of the company as if he or she were an authorized user. Further, a hacking case has been reported in the press in which ID, password, biometric data, token, OTP, and PKI certificate are used separately, without being consolidated for multi-factor authentication, and a hacker modifies and tampers with them in the middle to hack into a network.